Jan 23, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence
Cybersecurity researchers have disclosed a new BackConnect (BC) trojan that was developed by threat actors linked to the infamous QakBot loader.
BackConnect is a common feature or module used by threat actors to maintain persistence and perform tasks, according to Walmart's Cyber Intelligence team, which told The Hacker News: "The BackConnect(s) in use were 'DarkVNC' alongside the BackConnect (KeyHole)."
The company noted that the BC module was found on the same infrastructure that was observed distributing another malware loader known as ZLoader, which was recently updated to include a Domain Name System (DNS) tunnel for command-and-control (C2) communications.
QakBot, also known as Pinkslipbot and QBot, suffered a major operational setback in 2023 following a coordinated law enforcement effort dubbed Duck Hunt. Since then, sporadic campaigns distributing the malware have been observed.
Originally developed as a banking trojan, it later evolved into a loader capable of delivering next-stage payloads, such as ransomware, to targeted systems. Like IcedID, QakBot has a distinctive BC module that allows threat actors to use the infected host as a proxy and provides a remote-access channel through an embedded VNC component.
Walmart's analysis found that the BC module, besides containing references to older QakBot samples, has been further enhanced and developed to gather system information, effectively acting as a reconnaissance tool to support follow-on exploitation.
The malware in question is a standalone backdoor that uses BackConnect to give a threat actor hands-on-keyboard access, according to Walmart. The fact that this backdoor also collects system information makes that distinction even clearer.
The BC malware was also independently flagged by Sophos, whose analysis linked it to a threat cluster tracked as STAC5777, which overlaps with a group known for impersonating technical support staff and using Quick Assist to deploy Black Basta ransomware.
The security firm noted that both STAC5777 and STAC5143 have used Microsoft Teams to trick potential targets into granting them remote access to their computers via Quick Assist or Teams' built-in screen sharing, deploying Python backdoors and Black Basta ransomware, respectively.
"Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks," Sophos said, adding that they took advantage of a Microsoft Teams setting that allows users on external domains to initiate chats or meetings with internal users.
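The Teams external-access setting Sophos describes is something a tenant administrator can audit directly. The following is an added example, not code from Sophos or Walmart; it assumes the MicrosoftTeams PowerShell module is installed and the signed-in account holds a Teams administrator role, and it only reads the configuration and reports what it finds.

```powershell
# Added example (not from Sophos or Walmart). Assumes the MicrosoftTeams module is
# installed and the signed-in account holds a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Tenant-wide external access ("federation") settings for Teams
$fed = Get-CsTenantFederationConfiguration

$findings = @()

if ($fed.AllowFederatedUsers) {
    # When AllowedDomains reads "AllowAllKnownDomains", any other Microsoft 365
    # tenant can open a chat or meeting with internal users (the open default).
    if ("$($fed.AllowedDomains)" -match 'AllowAllKnownDomains') {
        $findings += 'External access is open to every federated domain (AllowedDomains = AllowAllKnownDomains).'
    }
    else {
        $findings += "External access is limited to an allow list: $($fed.AllowedDomains)"
    }
    if ($fed.BlockedDomains) {
        $findings += "Blocked domains configured: $($fed.BlockedDomains)"
    }
}
else {
    $findings += 'External access to other Microsoft 365 tenants is disabled.'
}

# Unmanaged (personal) Teams accounts are a second inbound path worth checking.
if ($fed.AllowTeamsConsumer) {
    $findings += 'Unmanaged personal Teams accounts may contact internal users (AllowTeamsConsumer = True).'
}

$findings | ForEach-Object { Write-Output $_ }
```

If the report shows external access open to all federated domains, the usual mitigation is to replace the open setting with an explicit allow list of partner tenants via Set-CsTenantFederationConfiguration, and to pair that with detection for Quick Assist sessions that begin shortly after an inbound chat from an unfamiliar external tenant.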
The emergence of a new BC module, together with Black Basta's use of ZLoader in recent months, paints a picture of a highly interconnected cybercrime ecosystem in which the developers behind QakBot are likely supplying the Black Basta crew with new tooling, according to Walmart.